I’m not surprised to discover that Suunto has given the Spark some protection against sweat and rain. The IP55 rating doesn’t extend to the charging case, which is reasonably compact and slim enough to slip into a pocket or running belt if you need to carry it with you.

Screenshot

Suunto provides two control methods, but neither are the type I like to see on earbuds built for exercise. There are touch panels placed on the outside of both buds, which I usually find to be fiddly to use when running or with sweaty hands. Even Suunto states that single-tap controls can be easily triggered by accident. Fortunately, the controls are well spread across the speaker units, and accidental triggers were rare. These touch controls can be tapped or held to skip back and forward a track. They can also adjust volume or play and pause audio. You can additionally use them to turn on metronome and workout tracking modes. That’s all great, but I would have liked them to also switch between EQ modes.

The head gesture controls aren’t as successful. This uses some pretty standard motion sensors found inside most smartwatches to register head nods or shakes to answer or reject a call or skip a track. I’ve used these on Suunto headphones previously, and my experience hasn’t been great. If you’re walking or sitting on a bike, they’re absolutely fine. When you run, your head naturally moves around a lot, and that does lead to accidentally setting off the controls. It quickly gets annoying.

Stellar Open-Ear Sound

Photograph: Michael Sawh

Bottom line, the Suunto Spark sound great. I’ve tested a lot of open-ear earbuds and headphones, and I’d put the Spark alongside the very best, including Shokz, Anker, and Bose.

Whether it’s the overall depth of the sound or versatility of the fit, I was impressed. They’re even great at not letting the wind cut through and drown out podcasts or calls. A big part of that strong performance lies with the available EQ modes, which (as mentioned) have to be enabled from the Suunto phone app. This is the same app used to set up Suunto’s watches. It’s not the prettiest, but the headphone section is pretty straightforward to get around.

There’s four EQ presets with an additional custom option, giving you greater control over the sound profile compared to other Suunto headphones. The switch to air conduction is what makes this possible. Air conduction works by placing speakers close to your ears and behaves a lot more like traditional earbuds. One of the chief benefits over bone conduction is the ability to offer much greater sound customization.

Update June 15, 00:54 EDT: An Ivanti spokesperson told BleepingComputer that CISA added the flaw to its KEV catalog based on reports of attempted exploitation of honeypots.

“While this CVE carries a CVSS score of 10, the risk posed to customers is decreased significantly based on deployment and configuration,” the spokesperson added.

“Successful exploitation requires access to the management port 8443 and this port should never be exposed to the internet. Honeypots often have misconfigurations to identify and track malicious behavior.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.

Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti’s security gateway appliance (formerly known as MobileIron Sentry) and stems from an OS command injection weakness.

On Wednesday, one day after Ivanti released patches for CVE-2026-10520 and said that it had no evidence of in-the-wild exploitation, the Shadowserver Internet security watchdog reported that attackers had already backdoored many of the Sentry gateways exposed online.

While Shadowserver now tracks just over 50 Sentry admin portals exposed online, it says the number of Internet-exposed Ivanti Sentry instances it can detect is likely limited by organizations blocking its security scanner, and warns that systems that weren’t already patched are likely compromised.

“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today,” it said.

“While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised.”

​On Thursday, CISA also confirmed that the CVE-2026-10520 vulnerability is now actively exploited in attacks and added it to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Ivanti Sentry instances within three days, as required by Binding Operational Directive (BOD) 26-04.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the cybersecurity agency warned. “Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset’s internet exposure and ensuring adherence to BOD 26-04 patching guidelines.”

BOD 26-04 was issued on Wednesday (superseding and revoking the older BOD 19-02 and BOD 22-01), and it requires U.S. federal agencies to prioritize patching if the asset is publicly exposed online, if the security flaw was added to CISA’s KEV catalog, if exploitation can be automated for large-scale attacks, and if successful exploitation gives attackers partial or total control of a targeted system.

While CVE-2026-10520 is the first vulnerability for which BOD 26-04 applies, in recent weeks CISA has ordered federal agencies to patch other security flaws within three days, including a Check Point VPN zero-day, a high-severity Oracle WebLogic Server vulnerability exploited in the wild, and an actively exploited cPanel plugin flaw.

Over the past several years, CISA has flagged 35 vulnerabilities across a wide range of Ivanti products that have been abused in attacks, with 12 targeted by ransomware gangs.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

As is often the case, Apple has leaked its own hardware. Here are the signs that the folding iPhone and MacBook Pro with touchscreen are coming, and where they are.

The release of the first developer betas of macOS 27 Golden Gate, iOS 27, and others was followed by the inevitable deep dive into the changes. All to find out what Apple is planning for the future.

In Sunday’s “Power On” newsletter for Bloomberg, Mark Gurman lays out multiple items that were found in the initial betas relating to inbound hardware. He refers to them as the first real evidence from Apple relating to the iPhone Fold and a MacBook with a touchscreen.

The changes, he insists, are made to support the new form factors.

iPhone Fold

For the iPhone Fold, Gurman first points to the iPhone Mirroring app included in macOS 27. The tool has been updated so it can be stretched wide enough for iPad-like layouts, like an opened iPhone Fold’s main display.

There were also a number of iPhone Fold code references in iOS 27, including mentions of “foldState” and “angleDegrees” and the number of hardware displays. This would directly tie into the iPhone Fold and determining how open or closed the device is.

The last bit of evidence Gurman talks about is the direction from Apple during the WWDC keynote. Developers should be taking a concept known as app adaptability into account, namely making the same app work on a variety of screen sizes.

This could be taken to mean accounting for differences between models and generations. It’s a more extreme concept when you consider the squarer display expected from the iPhone Fold.

Touchscreen MacBook

When it comes to the touch-enabled MacBook, Gurman starts off by pointing out how Sidecar now supports full touch input access across macOS from the iPad. This could really just be a much-needed improvement to how Sidecar functions, but it can be interpreted as a precursor to the supposed MacBook.

He also writes about the tweaks to the macOS user interface to support pull-to-refresh. This is a design idea more common to smartphones and tablets, but it does work with trackpads and mice, with touch support a future possibility.

For both of these points, it certainly plays into the idea of a touchscreen interface. It seems unlikely that Apple would build them into macOS just for a better Sidecar experience.

Lastly, he claims that the new pill-shaped Siri Search and Ask interface on the Mac is something that would work on a Dynamic Island-style interface. He believes that this could be coming as part of a future touch MacBook.

Expected evidence

Normally, when we talk about leakers, we discuss their track record and how much their claims line up with the reality of the situation. When it comes to Gurman, he has a pretty good level of accuracy when it comes to leaks and rumor sourcing, making him one of the top people in the Apple rumor mill.

This time around, it’s not really a piece detailing rumors, but instead collates known facts that have surfaced in the week of availability for the betas. He’s analyzing facts, and pinning the discoveries onto some well-rumored items.

Quite frankly, he is right to do so. Both are well-rumored pieces of kit that are still ever so out of reach of consumers.

When it comes to the touchscreen MacBook, it’s something that has surfaced regularly over the years. But there are rumors about a major MacBook Pro refresh on the horizon that could use it.

Back in February, Gurman insisted that the touchscreen models will arrive by the end of 2026, complete with OLED and using a Dynamic Island at the top center of the screen. Other leakers have also chimed in on the rumors, making a fall launch seem more likely.

As for the iPhone Fold, the general specifications for the model have been rumored for quite some time. It’s even reached the point that dummy units are being produced, which is usually an indicator of an impending launch.

With the iPhone Fold expected in the fall as part of Apple’s split launch strategy, the timing of the physical models is apt.

Ultimately, Apple’s operating systems are due to arrive in the fall alongside a bunch of hardware launches. This is business as usual for Apple, and it has been this way for years.

The company has a culture of secrecy that entails hiding as much as possible from prying eyes until launches happen. But it certainly can’t hide everything, especially when it needs to get developers prepared for those fall product announcements.

They are justifiable leaks. Not only utilitarian in preparing developers, but also helping to stir the pot and excite onlookers for what’s to come.

Looking for the most recent regular Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle and Strands puzzles.

Today’s Connections: Sports Edition is a fun one. It includes a soccer category for all of us watching the World Cup, and a category tied to the Pacific Northwest City where I live. If you’re struggling with the puzzle but still want to solve it, read on for hints and the answers.

Connections: Sports Edition is published by The Athletic, the subscription-based sports journalism site owned by The Times. It doesn’t appear in the NYT Games app, but it does in The Athletic’s own app. Or you can play it for free online.

Read more: NYT Connections: Sports Edition Puzzle Comes Out of Beta

Hints for today’s Connections: Sports Edition groups

Here are four hints for the groupings in today’s Connections: Sports Edition puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.

Yellow group hint: Think World Cup roles.

Green group hint: Emerald City.

Blue group hint: Not named Tom, but close.

Purple group hint: Fore!

Answers for today’s Connections: Sports Edition groups

Yellow group: Soccer positions.

Green group: Seattle teams.

Blue group: Baseball Tims.

Purple group: Golf ____.

Read more: Wordle Cheat Sheet: Here Are the Most Popular Letters Used in English Words

What are today’s Connections: Sports Edition answers?

The yellow words in today’s Connections

The theme is soccer positions. The four answers are fullback, goalkeeper, midfielder and striker.

The green words in today’s Connections

The theme is Seattle teams. The four answers are Kraken, Reign, Seahawks and Storm.

The blue words in today’s Connections

The theme is baseball Tims. The four answers are  Lincecum, Raines, Salmon and Wakefield.

The purple words in today’s Connections

The theme is golf ____.  The four answers are course, polo, tee and umbrella.

Quordle was one of the original Wordle alternatives and is still going strong now more than 1,400 games later. It offers a genuine challenge, though, so read on if you need some Quordle hints today – or scroll down further for the answers.

Enjoy playing word games? You can also check out my NYT Connections today and NYT Strands today pages for hints and answers for those puzzles, while Marc’s Wordle today column covers the original viral word game.

Microsoft has fixed a known issue that caused Windows updates released since May 2025 to fail when installed via the Windows Update Standalone Installer (WUSA) from a network share.

WUSA is a built-in Windows command-line tool that helps admins install and uninstall Microsoft Standalone Update (.msu) files through the Windows Update Agent API to deploy or remove patches, updates, and hotfixes.

This known issue affects Windows 11 24H2/25H2 and Windows Server 2025 devices on enterprise networks, as WUSA isn’t a common method for installing updates on home devices. Microsoft also noted that the bug doesn’t occur with a single .msu file or when the files are stored locally.

“Windows updates installed using the Windows Update Standalone Installer (WUSA) might fail with error ERROR_BAD_PATHNAME, when the update is installed using WUSA or double-clicking a .msu file from a network share that contains multiple .msu files,” Microsoft said when it acknowledged the issue in August 2025.

“These issues might occur on devices that installed updates released May 28, 2025 (KB5058499) and later.”

Microsoft first mitigated this known issue automatically on home and non-managed business devices through a Known Issue Rollback Group Policy beginning September 2025.

Fixed in June 206 cumulative updates

As part of the June 2026 Patch Tuesday, Microsoft finally addressed this known issue for all affected systems in cumulative updates released for Windows 11 (KB5079391) and Windows Server 2025 (KB5094125).

“If you are using an update released before this date, and are experiencing this issue, you have the option to work around it by saving the .msu files locally on the device and install the update from this location,” Microsoft said in a Windows release health dashboard update.

“Also, if you’ve restarted Windows after installing an .msu file via WUSA, please wait 15 minutes or more before checking the Update History page in Settings. After this short delay, the Settings app should properly indicate if the update installed successfully.”

Microsoft resolved another issue in April 2025 preventing enterprise customers from installing the April 2025 security updates via Windows Server Update Services (WSUS), and an identical bug that caused the August 2025 Windows 11 updates to fail with 0x80240069 errors.

Earlier this week, Microsoft also warned customers that they may have issues installing the latest monthly updates on some Windows devices upgraded to Windows 11 24H2 or 25H2.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Supply-chain attacks are usually discussed after they become visible: a malicious package, a compromised software update, a malicious extension, or a breach involving a trusted vendor. But before an incident reaches that stage, the early warning signs may look much less obvious.

In underground forums and marketplaces, supply-chain relevance does not always appear under a clear label. A post may not say “supply-chain attack” at all. It may advertise GitHub access, private repositories, source code, API keys, OAuth tokens, cloud credentials, CI/CD data, or a vendor-related leak.

The supply-chain risk comes from where that access sits and what trust relationships it touches.

A recent investigation by Flare researchers of underground posts show that while it is very hard to recognize it, there are often early warning signs in the underground for software supply-chain attacks even before they are published in public as incident reports.

What is a Software Supply-Chain Attack

A software supply-chain attack targets the trusted tools, vendors, software components, services, or processes an organization relies on, instead of attacking the organization directly. In software, this can include compromising a third-party provider, developer account, source-code repository, package registry, CI/CD pipeline, update mechanism, plugin, or SaaS integration.

The danger is that once attackers compromise something trusted inside the delivery chain, they may be able to reach downstream customers, users, or internal systems through legitimate-looking access, updates, code, or integrations.

When ordinary access becomes supply-chain relevant

One of the strongest examples observed by Flare researchers involved a post (see screenshot below) advertising GitHub-related access, including references to developer accounts, private repositories, access material, and source-code exposure.

On its own, this may look like a standard access sale. But GitHub access can be more than access to code. It may expose secrets, deployment scripts, package publishing logic, cloud credentials, internal documentation, and CI/CD workflows.

That is where the supply-chain angle begins.

If attackers gain access to a developer identity or private repository, they may be able to understand how software is built, which dependencies are used, where secrets are stored, and how updates are published. In some cases, that access can enable attacks against customers, downstream users, or other connected systems.

The Vercel incident in April 2026 is another useful example because it showed how a compromise involving a trusted third-party AI tool and OAuth-connected SaaS access can create a wider security concern (even when the affected company says sensitive customer data and source code were not accessed).

For analysts reviewing underground posts, the relevance is not the incident itself, which was already public, but the type of exposure it represents: trusted integrations, SaaS accounts, internal tools, environment variables, and developer platforms connected through permissions that can be abused if one link in the chain is compromised.

This is why underground posts mentioning OAuth access, SaaS tools, environment variables, or developer platforms deserve attention, even when the initial claim is limited or unverified.

Source code is not always just intellectual property

Flare researchers also reviewed posts involving alleged vendor data and source-code exposure, including claims around Sportradar AG that were later echoed in public reporting on the broader TeamPCP supply-chain campaign.

The Sportradar case was linked to a compromised Trivy scanner and included exposure of sensitive operational material such as database passwords, API key and secret pairs, Kafka credentials, and monitoring tokens.

That is what makes the case relevant beyond the immediate breach: this kind of data can reveal how a vendor’s systems are connected, which services and integrations are trusted, and which credentials may create risk for partners or customers.

In supply-chain investigations, those details matter because the most dangerous part of a leak is not always the stolen database itself, but the access paths and trusted relationships it exposes.

A similar point appears in public reporting around TeamPCP and Mistral AI. In May 2026, reports claimed that TeamPCP was selling hundreds of alleged Mistral AI repositories. Mistral disputed parts of the claim, but the case still illustrates why source-code theft should not be viewed only as an intellectual-property issue.

Repositories may include credentials, building logic, internal service names, deployment workflows, API documentation, or references to customers and integrations.

Even when leaked source code does not provide immediate production access, it can help attackers map the environment and identify future attack paths.

Package attacks show how access can scale

The same analytical lens applies to package ecosystem incidents. Public reporting on Shai-Hulud (a self-spreading npm supply-chain attack that stole developer secrets and infected trusted packages) showed how compromised npm maintainer accounts and malicious package updates could be used to steal credentials, harvest CI/CD secrets, and propagate across repositories.

The significance was not only the malicious code itself, but the way trusted package publishing mechanisms were abused.

Discussions around Shai-Hulud-style activity and supply-chain attack competition were also observed. These posts were less concrete as victim leads, but they are useful as threat context. They show that actors are watching public package compromise techniques and discussing how they may be reused, modified, or extended.

The LiteLLM supply-chain incident provides another recent example. Public reporting described unauthorized PyPI package publishes connected to a broader compromise path involving developer and CI/CD environments. Because LiteLLM is used as an AI gateway, the incident also shows how supply-chain risk is expanding into AI infrastructure and developer tooling.

Developer environments themselves are also becoming attractive targets. Recent reporting around malicious VS Code extensions showed how trusted development tools can become a route into repositories and credentials. Extensions, plugins, and AI coding tools often sit close to source code, terminals, tokens, and internal workflows, making them valuable even when they are not part of production infrastructure.

What defenders can take from this

The reviewed posts do not prove that every underground access sale is a supply-chain threat. They do show why security teams should ask better questions when they see posts involving source code, developer accounts, SaaS access, API keys, OAuth tokens, package ecosystems, or CI/CD material.

The key question is not only, “Was data leaked?” It is also, “Could this access affect how trusted software is built, deployed, updated, or integrated?”

For defenders, this means supply-chain monitoring should include more than vulnerability disclosures and package alerts. Organizations should watch for exposed developer credentials, GitHub and GitLab access, package registry tokens, leaked repositories, CI/CD secrets, cloud keys, OAuth grants, and claims involving important vendors or software providers.

The value of underground monitoring is in recognizing these early signals before they are framed as a full supply-chain incident. 

Learn more by signing up for our free trial.

Sponsored and written by Flare.

Around 30 European family offices have told Hong Kong’s investment promotion agency that they plan to set up operations in the city, according to InvestHK. The interest accounts for roughly 19% of the 160 family office cases InvestHK is currently handling and reflects a broader European pivot toward Asia that is being driven by tax incentives, China’s technology boom, and geopolitical rebalancing.

Jason Fong, InvestHK’s global head of family office, said several Italian families attended the Wealth for Good in Hong Kong Summit in March 2026 and subsequently held strategic discussions with the agency. “For European families seeking new growth momentum, Hong Kong offers something that has become remarkably rare: certainty, resilience, stability, innovation and opportunity in a single jurisdiction,” Fong told the South China Morning Post.

The timing is not accidental. Hong Kong overtook Switzerland last year to become the world’s largest cross-border wealth management centre, with $2.95 trillion in offshore assets compared with Switzerland’s $2.94 trillion, according to Boston Consulting Group’s Global Wealth Report published in May. BCG projects the gap will widen to nearly $600 billion by 2030.

The city’s family office sector has expanded rapidly. A Deloitte study commissioned by InvestHK found that the number of single-family offices in Hong Kong rose 25% over the past two years to approximately 3,384 by the end of 2025, injecting an estimated $12.6 billion annually into the local economy through operating expenditures alone.

The tax incentives are a central draw. Hong Kong waives its 16.5% profit tax on earnings from stocks and bonds for single-family offices that hold an investment portfolio of at least HK$240 million (roughly $30.8 million), employ two staff in the city, and incur annual operating expenses of at least HK$2 million. The government is set to submit legislation this month to expand the tax exemption to cover additional investment products.

Jennifer Chan, co-founder of Orientis, a French consultancy that advises high-net-worth European clients, said geopolitical tensions have prompted some investors to reassess their global allocation. “Traditionally, European family offices tend to like to invest domestically, or they may invest in the US and the Middle East,” she said. “However, in recent years, they have started to invest in Hong Kong and other parts of Asia.”

Chan said the Middle East conflict that escalated in late February has made Hong Kong look comparatively stable. Orientis has arranged eight tours to Hong Kong for wealthy families from Germany, France, Switzerland, the Netherlands, Belgium, and Italy over the past 18 months, and some clients subsequently established family offices in the city.

The investment thesis has two prongs. The first is China’s technology sector. International investors have rushed into Chinese tech stocks since the breakthrough by AI startup DeepSeek early last year highlighted the country’s innovative potential. Chan, who is also a director of the Hong Kong Science and Technology Parks Corporation, said many family office representatives are meeting local startups at the science park, and some have already invested.

The second is Hong Kong property. Chan said European families believe the market has fallen significantly and shows signs of recovery, making it an attractive entry point.

Government promotion has been active. Financial Secretary Paul Chan Mo-po has led European roadshows to raise the city’s profile among wealthy families. Hong Kong’s growing role as a financial hub for Chinese technology companies adds to its appeal as a gateway for European capital seeking exposure to mainland innovation.

The institutional infrastructure is expanding to match. French insurer AXA launched AXA Global Private in Hong Kong on Monday to serve high-net-worth customers and family offices, with CEO Sally Wan saying the company was confident Hong Kong would remain the world’s largest offshore wealth centre. The platform bundles life insurance, wealth management, and succession services for wealthy families across Asia.

Cliff Ip Wang-hoi, chairman of the financial services committee for Greater China at CPA Australia, said Hong Kong serves as a gateway to mainland China and the Greater Bay Area. “The rapid development of the artificial intelligence and technology sectors in China presents substantial investment opportunities for European family offices,” Ip said.